

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  <meta name="generator" content="Docutils 0.19: https://docutils.sourceforge.io/" />

  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>Cephx Config Reference &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../../_static/css/custom.css" type="text/css" />

  
  

  
  

  

  
  <!--[if lt IE 9]>
    <script src="../../../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
    
      <script type="text/javascript" id="documentation_options" data-url_root="../../../" src="../../../_static/documentation_options.js"></script>
        <script src="../../../_static/jquery.js"></script>
        <script src="../../../_static/_sphinx_javascript_frameworks_compat.js"></script>
        <script src="../../../_static/doctools.js"></script>
        <script src="../../../_static/sphinx_highlight.js"></script>
    
    <script type="text/javascript" src="../../../_static/js/theme.js"></script>

    
    <link rel="index" title="Index" href="../../../genindex/" />
    <link rel="search" title="Search" href="../../../search/" />
    <link rel="next" title="Monitor Config Reference" href="../mon-config-ref/" />
    <link rel="prev" title="Messenger v2" href="../msgr2/" /> 
</head>

<body class="wy-body-for-nav">

   
  <div class="wy-grid-for-nav">
    

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>

  
  <section id="cephx">
<span id="rados-cephx-config-ref"></span><h1>Cephx Config Reference<a class="headerlink" href="#cephx" title="Permalink to this heading"></a></h1>
<p>The CephX protocol is enabled by default. CephX's cryptographic authentication has some computational cost, though it is generally quite low. If the network environment connecting your clients and servers is sufficiently secure and the overhead of authentication outweighs its benefit for you, you can disable it.
<strong>Disabling authentication is generally not recommended.</strong></p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>If authentication is disabled, you are exposed to man-in-the-middle attacks that tamper with client/server messages, which could have disastrous consequences.</p>
</div>
<p>For information on creating users, see <a class="reference external" href="../../operations/user-management">User Management</a>; for details on the Cephx architecture, see <a class="reference external" href="../../../architecture#high-availability-authentication">Architecture - High Availability Authentication</a>.</p>
<section id="id1">
<h2>Deployment Scenarios<a class="headerlink" href="#id1" title="Permalink to this heading"></a></h2>
<p>There are two main scenarios for deploying a Ceph cluster, and they affect how you initially configure Cephx.
Most Ceph newcomers use <code class="docutils literal notranslate"><span class="pre">cephadm</span></code> to create a cluster (this is the easiest way).
For clusters deployed with other tools (such as Chef, Juju, Puppet, etc.),
you must either perform the manual steps yourself or configure your deployment tool
to bootstrap your monitors.</p>
<section id="id2">
<h3>Manual Deployment<a class="headerlink" href="#id2" title="Permalink to this heading"></a></h3>
<p>If you deploy your cluster manually, you must bootstrap the monitors manually and create the <code class="docutils literal notranslate"><span class="pre">client.admin</span></code> user and keyring. To bootstrap monitors, follow the steps in <a class="reference external" href="../../../install/manual-deployment#monitor-bootstrapping">Monitor Bootstrapping</a>.
These monitor bootstrapping steps are the logical steps you must perform
even when using a third-party deployment tool (such as Chef, Puppet, Juju, etc.).</p>
</section>
</section>
<section id="id3">
<h2>Enabling/Disabling Cephx<a class="headerlink" href="#id3" title="Permalink to this heading"></a></h2>
<p>Enabling Cephx requires that you have deployed keys for your monitors, OSDs and metadata servers.
If you are simply toggling Cephx on or off, you do not have to repeat the bootstrapping steps.</p>
<section id="id4">
<h3>Enabling Cephx<a class="headerlink" href="#id4" title="Permalink to this heading"></a></h3>
<p>When <code class="docutils literal notranslate"><span class="pre">cephx</span></code> is enabled, Ceph looks for the keyring in the default search path, which includes
<code class="docutils literal notranslate"><span class="pre">/etc/ceph/ceph.$name.keyring</span></code>. You can override this location by adding a
<code class="docutils literal notranslate"><span class="pre">keyring</span></code> option in the <code class="docutils literal notranslate"><span class="pre">[global]</span></code> section of your <a class="reference external" href="../ceph-conf">Ceph configuration</a> file, but this is not recommended.</p>
<p>Execute the following procedure to enable CephX on a cluster where it is disabled. If you
(or your deployment tool) have already generated the keys, you may skip the steps related to generating keys.</p>
<ol class="arabic">
<li><p>Create a <code class="docutils literal notranslate"><span class="pre">client.admin</span></code> key, and save a copy of the key for your client host:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><style type="text/css">
span.prompt1:before {
  content: "$ ";
}
</style><span class="prompt1">ceph<span class="w"> </span>auth<span class="w"> </span>get-or-create<span class="w"> </span>client.admin<span class="w"> </span>mon<span class="w"> </span><span class="s1">&#39;allow *&#39;</span><span class="w"> </span>mds<span class="w"> </span><span class="s1">&#39;allow *&#39;</span><span class="w"> </span>mgr<span class="w"> </span><span class="s1">&#39;allow *&#39;</span><span class="w"> </span>osd<span class="w"> </span><span class="s1">&#39;allow *&#39;</span><span class="w"> </span>-o<span class="w"> </span>/etc/ceph/ceph.client.admin.keyring</span>
</pre></div></div><p><strong>Warning:</strong> This command overwrites any existing
<code class="docutils literal notranslate"><span class="pre">/etc/ceph/client.admin.keyring</span></code> file. Do not run it if a deployment tool has already performed this step. Be careful!</p>
</li>
<li><p>Create the keyring for your monitor cluster and generate a monitor secret key.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph-authtool<span class="w"> </span>--create-keyring<span class="w"> </span>/tmp/ceph.mon.keyring<span class="w"> </span>--gen-key<span class="w"> </span>-n<span class="w"> </span>mon.<span class="w"> </span>--cap<span class="w"> </span>mon<span class="w"> </span><span class="s1">&#39;allow *&#39;</span></span>
</pre></div></div></li>
<li><p>Copy the monitor keyring into a <code class="docutils literal notranslate"><span class="pre">ceph.mon.keyring</span></code> file,
then copy that file into every monitor's <code class="docutils literal notranslate"><span class="pre">mon</span> <span class="pre">data</span></code> directory.
For example, to copy it to <code class="docutils literal notranslate"><span class="pre">mon.a</span></code> in the cluster named <code class="docutils literal notranslate"><span class="pre">ceph</span></code>,
use the following command:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">cp<span class="w"> </span>/tmp/ceph.mon.keyring<span class="w"> </span>/var/lib/ceph/mon/ceph-a/keyring</span>
</pre></div></div></li>
<li><p>Generate a secret key for every MGR, where <code class="docutils literal notranslate"><span class="pre">{$id}</span></code> is the MGR name:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>auth<span class="w"> </span>get-or-create<span class="w"> </span>mgr.<span class="o">{</span><span class="nv">$id</span><span class="o">}</span><span class="w"> </span>mon<span class="w"> </span><span class="s1">&#39;allow profile mgr&#39;</span><span class="w"> </span>mds<span class="w"> </span><span class="s1">&#39;allow *&#39;</span><span class="w"> </span>osd<span class="w"> </span><span class="s1">&#39;allow *&#39;</span><span class="w"> </span>-o<span class="w"> </span>/var/lib/ceph/mgr/ceph-<span class="o">{</span><span class="nv">$id</span><span class="o">}</span>/keyring</span>
</pre></div></div></li>
<li><p>Generate a secret key for every OSD, where <code class="docutils literal notranslate"><span class="pre">{$id}</span></code> is the OSD number:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>auth<span class="w"> </span>get-or-create<span class="w"> </span>osd.<span class="o">{</span><span class="nv">$id</span><span class="o">}</span><span class="w"> </span>mon<span class="w"> </span><span class="s1">&#39;allow rwx&#39;</span><span class="w"> </span>osd<span class="w"> </span><span class="s1">&#39;allow *&#39;</span><span class="w"> </span>-o<span class="w"> </span>/var/lib/ceph/osd/ceph-<span class="o">{</span><span class="nv">$id</span><span class="o">}</span>/keyring</span>
</pre></div></div></li>
<li><p>Generate a secret key for every MDS, where <code class="docutils literal notranslate"><span class="pre">{$id}</span></code> is the MDS letter:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">ceph<span class="w"> </span>auth<span class="w"> </span>get-or-create<span class="w"> </span>mds.<span class="o">{</span><span class="nv">$id</span><span class="o">}</span><span class="w"> </span>mon<span class="w"> </span><span class="s1">&#39;allow rwx&#39;</span><span class="w"> </span>osd<span class="w"> </span><span class="s1">&#39;allow *&#39;</span><span class="w"> </span>mds<span class="w"> </span><span class="s1">&#39;allow *&#39;</span><span class="w"> </span>mgr<span class="w"> </span><span class="s1">&#39;allow profile mds&#39;</span><span class="w"> </span>-o<span class="w"> </span>/var/lib/ceph/mds/ceph-<span class="o">{</span><span class="nv">$id</span><span class="o">}</span>/keyring</span>
</pre></div></div></li>
<li><p>Enable CephX authentication by adding the following options to the
<code class="docutils literal notranslate"><span class="pre">[global]</span></code> section of your <a class="reference external" href="../ceph-conf">Ceph configuration</a> file:</p>
<div class="highlight-ini notranslate"><div class="highlight"><pre><span></span><span class="na">auth_cluster_required</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">cephx</span>
<span class="na">auth_service_required</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">cephx</span>
<span class="na">auth_client_required</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">cephx</span>
</pre></div>
</div>
</li>
<li><p>Start or restart the Ceph cluster. See <a class="reference external" href="../../operations/operating">Operating a Cluster</a> for details.</p></li>
</ol>
<p>For details on bootstrapping a monitor manually, see <a class="reference external" href="../../../install/manual-deployment">Manual Deployment</a>.</p>
</section>
<section id="id5">
<h3>Disabling Cephx<a class="headerlink" href="#id5" title="Permalink to this heading"></a></h3>
<p>The following procedure describes how to disable CephX.
If your cluster environment is relatively safe, disabling it saves the computational cost of authentication, but <strong>we do not recommend it</strong>.
However, temporarily disabling authentication can make installation and/or troubleshooting easier,
and you can enable it again later.</p>
<ol class="arabic">
<li><p>Disable CephX authentication by adding the following options to the <code class="docutils literal notranslate"><span class="pre">[global]</span></code> section of your <a class="reference external" href="../ceph-conf">Ceph configuration</a> file:</p>
<div class="highlight-ini notranslate"><div class="highlight"><pre><span></span><span class="na">auth_cluster_required</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">none</span>
<span class="na">auth_service_required</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">none</span>
<span class="na">auth_client_required</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s">none</span>
</pre></div>
</div>
</li>
<li><p>Start or restart the Ceph cluster. See <a class="reference external" href="../../operations/operating">Operating a Cluster</a> for details.</p></li>
</ol>
</section>
</section>
<section id="id6">
<h2>Configuration Settings<a class="headerlink" href="#id6" title="Permalink to this heading"></a></h2>
<section id="id7">
<h3>Enablement<a class="headerlink" href="#id7" title="Permalink to this heading"></a></h3>
<p><code class="docutils literal notranslate"><span class="pre">auth_cluster_required</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description<span class="colon">:</span></dt>
<dd class="field-odd"><p>If this configuration setting is enabled, the Ceph Storage Cluster daemons
(i.e., <code class="docutils literal notranslate"><span class="pre">ceph-mon</span></code>, <code class="docutils literal notranslate"><span class="pre">ceph-osd</span></code>, <code class="docutils literal notranslate"><span class="pre">ceph-mds</span></code>
and <code class="docutils literal notranslate"><span class="pre">ceph-mgr</span></code>) are required to authenticate with each other.
Valid settings are <code class="docutils literal notranslate"><span class="pre">cephx</span></code> or <code class="docutils literal notranslate"><span class="pre">none</span></code>.</p>
</dd>
<dt class="field-even">Type<span class="colon">:</span></dt>
<dd class="field-even"><p>String</p>
</dd>
<dt class="field-odd">Required<span class="colon">:</span></dt>
<dd class="field-odd"><p>No</p>
</dd>
<dt class="field-even">Default<span class="colon">:</span></dt>
<dd class="field-even"><p><code class="docutils literal notranslate"><span class="pre">cephx</span></code>.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">auth_service_required</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description<span class="colon">:</span></dt>
<dd class="field-odd"><p>If this configuration setting is enabled, Ceph clients can access Ceph services
only after they have authenticated with the Ceph Storage Cluster.
Valid settings are <code class="docutils literal notranslate"><span class="pre">cephx</span></code> or <code class="docutils literal notranslate"><span class="pre">none</span></code>.</p>
</dd>
<dt class="field-even">Type<span class="colon">:</span></dt>
<dd class="field-even"><p>String</p>
</dd>
<dt class="field-odd">Required<span class="colon">:</span></dt>
<dd class="field-odd"><p>No</p>
</dd>
<dt class="field-even">Default<span class="colon">:</span></dt>
<dd class="field-even"><p><code class="docutils literal notranslate"><span class="pre">cephx</span></code>.</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">auth_client_required</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description<span class="colon">:</span></dt>
<dd class="field-odd"><p>If this configuration setting is enabled,
communication between a Ceph client and the Ceph Storage Cluster can be established
only if the Ceph client authenticates with the Ceph Storage Cluster.
Valid settings are <code class="docutils literal notranslate"><span class="pre">cephx</span></code> or <code class="docutils literal notranslate"><span class="pre">none</span></code>.</p>
</dd>
<dt class="field-even">Type<span class="colon">:</span></dt>
<dd class="field-even"><p>String</p>
</dd>
<dt class="field-odd">Required<span class="colon">:</span></dt>
<dd class="field-odd"><p>No</p>
</dd>
<dt class="field-even">Default<span class="colon">:</span></dt>
<dd class="field-even"><p><code class="docutils literal notranslate"><span class="pre">cephx</span></code>.</p>
</dd>
</dl>
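<p>As an added example (not from the Ceph documentation or code base), the following Python script parses a ceph.conf file, applies the default from the option reference above to any option that is absent, and flags each of the three <code class="docutils literal notranslate"><span class="pre">auth_*_required</span></code> settings that has been set to <code class="docutils literal notranslate"><span class="pre">none</span></code> as in the disable procedure. It normalizes option names written with spaces or hyphens to the underscore form (Ceph treats these spellings as equivalent); the two sample configurations inside it are constructed.</p>

```python
"""Audit the cephx settings in a ceph.conf [global] section.

Added example for this page, not Ceph's own code. It parses the INI-style
ceph.conf format, reports the effective value of each auth_*_required option
(the page's default, cephx, when the option is absent) and flags any that
disable authentication. Option names written with spaces or hyphens are
normalized to the underscore form, which Ceph treats as equivalent.
"""
import re

AUTH_OPTIONS = ("auth_cluster_required", "auth_service_required", "auth_client_required")
DEFAULT_AUTH = "cephx"            # default value given on this page
VALID_VALUES = {"cephx", "none"}  # the only valid settings per this page

_SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")


def normalize_option(name: str) -> str:
    """'Auth Cluster-Required' -> 'auth_cluster_required'."""
    return re.sub(r"[\s-]+", "_", name.strip().lower())


def parse_ceph_conf(text: str) -> dict:
    """Parse ceph.conf text into {section: {normalized_option: value}}.

    Strips '#' and ';' comments (whole-line and trailing) and blank lines;
    lines before any [section] header or without '=' are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = _SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][normalize_option(key)] = value.strip().strip("\"'")
    return sections


def audit_cephx(text: str) -> dict:
    """Effective value of each auth_*_required option, defaults applied."""
    global_section = parse_ceph_conf(text).get("global", {})
    return {opt: global_section.get(opt, DEFAULT_AUTH) for opt in AUTH_OPTIONS}


def cephx_findings(text: str) -> list:
    """Findings worth acting on: authentication disabled, or an invalid value."""
    findings = []
    for opt, value in audit_cephx(text).items():
        if value == "none":
            findings.append(f"{opt} = none: authentication disabled for this path")
        elif value not in VALID_VALUES:
            findings.append(f"{opt} = {value!r}: not a valid setting (cephx|none)")
    return findings


# Constructed sample configurations (not taken from a real cluster).
HARDENED_CONF = """
[global]
    fsid = 00000000-0000-0000-0000-000000000000   # placeholder fsid
    auth_cluster_required = cephx
    auth_service_required = cephx
    auth_client_required = cephx
"""

WEAK_CONF = """
[global]
    auth cluster required = none   ; temporarily disabled while troubleshooting
    auth-service-required = none
    # auth_client_required is absent, so the default (cephx) applies
"""

if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(label, audit_cephx(conf))
        for finding in cephx_findings(conf):
            print("  !", finding)
```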
</section>
<section id="index-0">
<span id="id8"></span><h3>Keys<a class="headerlink" href="#index-0" title="Permalink to this heading"></a></h3>
<p>When Ceph runs with authentication enabled, <code class="docutils literal notranslate"><span class="pre">ceph</span></code> administrative commands and Ceph clients must have keys in order to access the cluster.</p>
<p>The most common way to provide these keys to the <code class="docutils literal notranslate"><span class="pre">ceph</span></code> administrative commands and clients is to place a keyring in the <code class="docutils literal notranslate"><span class="pre">/etc/ceph</span></code> directory.
For Octopus and later releases using <code class="docutils literal notranslate"><span class="pre">cephadm</span></code>,
the filename is usually <code class="docutils literal notranslate"><span class="pre">ceph.client.admin.keyring</span></code>.
If the keyring is in the <code class="docutils literal notranslate"><span class="pre">/etc/ceph</span></code> directory,
you do not need to specify a <code class="docutils literal notranslate"><span class="pre">keyring</span></code> option in the Ceph configuration file.</p>
<p>Because the Ceph Storage Cluster's keyring contains the <code class="docutils literal notranslate"><span class="pre">client.admin</span></code> key,
we recommend copying this keyring to the nodes on which you run administrative commands.</p>
<p>To perform this step manually, execute the following command:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span class="prompt1">sudo<span class="w"> </span>scp<span class="w"> </span><span class="o">{</span>user<span class="o">}</span>@<span class="o">{</span>ceph-cluster-host<span class="o">}</span>:/etc/ceph/ceph.client.admin.keyring<span class="w"> </span>/etc/ceph/ceph.client.admin.keyring</span>
</pre></div></div><div class="admonition tip">
<p class="admonition-title">Tip</p>
<p>Ensure that the <code class="docutils literal notranslate"><span class="pre">ceph.keyring</span></code> file on the client has sensible permission bits set
(e.g., <code class="docutils literal notranslate"><span class="pre">chmod</span> <span class="pre">644</span></code>).</p>
</div>
<p>You can write the key itself into the configuration file using the <code class="docutils literal notranslate"><span class="pre">key</span></code> option
(not recommended),
or specify the path to a key file in the Ceph configuration file using the <code class="docutils literal notranslate"><span class="pre">keyfile</span></code> option.</p>
<p><code class="docutils literal notranslate"><span class="pre">keyring</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description<span class="colon">:</span></dt>
<dd class="field-odd"><p>The path to the keyring file.</p>
</dd>
<dt class="field-even">Type<span class="colon">:</span></dt>
<dd class="field-even"><p>String</p>
</dd>
<dt class="field-odd">Required<span class="colon">:</span></dt>
<dd class="field-odd"><p>No</p>
</dd>
<dt class="field-even">Default<span class="colon">:</span></dt>
<dd class="field-even"><p><code class="docutils literal notranslate"><span class="pre">/etc/ceph/$cluster.$name.keyring,/etc/ceph/$cluster.keyring,/etc/ceph/keyring,/etc/ceph/keyring.bin</span></code></p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">keyfile</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description<span class="colon">:</span></dt>
<dd class="field-odd"><p>The path to a key file (i.e., a file containing only the key).</p>
</dd>
<dt class="field-even">Type<span class="colon">:</span></dt>
<dd class="field-even"><p>String</p>
</dd>
<dt class="field-odd">Required<span class="colon">:</span></dt>
<dd class="field-odd"><p>No</p>
</dd>
<dt class="field-even">Default<span class="colon">:</span></dt>
<dd class="field-even"><p>None</p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">key</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description<span class="colon">:</span></dt>
<dd class="field-odd"><p>The key (i.e., the text string of the key itself).
We do not recommend using this option
unless you know what you are doing.</p>
</dd>
<dt class="field-even">Type<span class="colon">:</span></dt>
<dd class="field-even"><p>String</p>
</dd>
<dt class="field-odd">Required<span class="colon">:</span></dt>
<dd class="field-odd"><p>No</p>
</dd>
<dt class="field-even">Default<span class="colon">:</span></dt>
<dd class="field-even"><p>None</p>
</dd>
</dl>
</section>
<section id="id9">
<h3>Daemon Keyrings<a class="headerlink" href="#id9" title="Permalink to this heading"></a></h3>
<p>Administrators or deployment tools (e.g., <code class="docutils literal notranslate"><span class="pre">cephadm</span></code>)
generate daemon keys the same way they generate user keys.
By default, Ceph stores each daemon's key inside that daemon's data directory.
The default keyring locations, and the capabilities each daemon needs in order to function, are shown below.</p>
<p><code class="docutils literal notranslate"><span class="pre">ceph-mon</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Location<span class="colon">:</span></dt>
<dd class="field-odd"><p><code class="docutils literal notranslate"><span class="pre">$mon_data/keyring</span></code></p>
</dd>
<dt class="field-even">Capabilities<span class="colon">:</span></dt>
<dd class="field-even"><p><code class="docutils literal notranslate"><span class="pre">mon</span> <span class="pre">'allow</span> <span class="pre">*'</span></code></p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">ceph-osd</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Location<span class="colon">:</span></dt>
<dd class="field-odd"><p><code class="docutils literal notranslate"><span class="pre">$osd_data/keyring</span></code></p>
</dd>
<dt class="field-even">Capabilities<span class="colon">:</span></dt>
<dd class="field-even"><p><code class="docutils literal notranslate"><span class="pre">mgr</span> <span class="pre">'allow</span> <span class="pre">profile</span> <span class="pre">osd'</span> <span class="pre">mon</span> <span class="pre">'allow</span> <span class="pre">profile</span> <span class="pre">osd'</span> <span class="pre">osd</span> <span class="pre">'allow</span> <span class="pre">*'</span></code></p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">ceph-mds</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Location<span class="colon">:</span></dt>
<dd class="field-odd"><p><code class="docutils literal notranslate"><span class="pre">$mds_data/keyring</span></code></p>
</dd>
<dt class="field-even">Capabilities<span class="colon">:</span></dt>
<dd class="field-even"><p><code class="docutils literal notranslate"><span class="pre">mds</span> <span class="pre">'allow'</span> <span class="pre">mgr</span> <span class="pre">'allow</span> <span class="pre">profile</span> <span class="pre">mds'</span> <span class="pre">mon</span> <span class="pre">'allow</span> <span class="pre">profile</span> <span class="pre">mds'</span> <span class="pre">osd</span> <span class="pre">'allow</span> <span class="pre">rwx'</span></code></p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">ceph-mgr</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Location<span class="colon">:</span></dt>
<dd class="field-odd"><p><code class="docutils literal notranslate"><span class="pre">$mgr_data/keyring</span></code></p>
</dd>
<dt class="field-even">Capabilities<span class="colon">:</span></dt>
<dd class="field-even"><p><code class="docutils literal notranslate"><span class="pre">mon</span> <span class="pre">'allow</span> <span class="pre">profile</span> <span class="pre">mgr'</span> <span class="pre">mds</span> <span class="pre">'allow</span> <span class="pre">*'</span> <span class="pre">osd</span> <span class="pre">'allow</span> <span class="pre">*'</span></code></p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">radosgw</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Location<span class="colon">:</span></dt>
<dd class="field-odd"><p><code class="docutils literal notranslate"><span class="pre">$rgw_data/keyring</span></code></p>
</dd>
<dt class="field-even">Capabilities<span class="colon">:</span></dt>
<dd class="field-even"><p><code class="docutils literal notranslate"><span class="pre">mon</span> <span class="pre">'allow</span> <span class="pre">rwx'</span> <span class="pre">osd</span> <span class="pre">'allow</span> <span class="pre">rwx'</span></code></p>
</dd>
</dl>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The monitor keyring (i.e., <code class="docutils literal notranslate"><span class="pre">mon.</span></code>) contains a key but no capabilities,
and this keyring is not part of the cluster <code class="docutils literal notranslate"><span class="pre">auth</span></code> database.</p>
</div>
<p>The daemon data directory locations default to directories of the form:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>/var/lib/ceph/$type/$cluster-$id
</pre></div>
</div>
<p>For example, <code class="docutils literal notranslate"><span class="pre">osd.12</span></code> would have the following data directory:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">var</span><span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">ceph</span><span class="o">/</span><span class="n">osd</span><span class="o">/</span><span class="n">ceph</span><span class="o">-</span><span class="mi">12</span>
</pre></div>
</div>
<p>You can override these locations, but it is not recommended.</p>
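<p>The following Python script is an added example, not code from the Ceph project: given a daemon name such as <code class="docutils literal notranslate"><span class="pre">osd.12</span></code> it derives the keyring path from the data directory layout above, parses a keyring file and compares its caps with the table in this section (treating the <code class="docutils literal notranslate"><span class="pre">mon.</span></code> keyring's caps as optional, per the note above); it also expands the default <code class="docutils literal notranslate"><span class="pre">keyring</span></code> search path from the Keys section for a client name. The keyring samples inside it are constructed and their key strings are placeholders.</p>

```python
"""Check a Ceph daemon keyring against the locations and caps listed on this page.

Added example, not Ceph's own code. From a daemon name such as osd.12 it
derives /var/lib/ceph/$type/$cluster-$id/keyring, parses the keyring file
format ([entity], key = ..., caps <service> = "..."), compares the caps with
the page's table, and expands the default keyring search path for a client.
The sample keyrings are constructed; "PLACEHOLDER-KEY==" is not a real key.
"""
import re
from pathlib import PurePosixPath

# Capabilities required per daemon type, as listed on this page.
EXPECTED_CAPS = {
    "mon": {"mon": "allow *"},
    "osd": {"mgr": "allow profile osd", "mon": "allow profile osd", "osd": "allow *"},
    "mds": {"mds": "allow", "mgr": "allow profile mds",
            "mon": "allow profile mds", "osd": "allow rwx"},
    "mgr": {"mon": "allow profile mgr", "mds": "allow *", "osd": "allow *"},
}
# Default value of the keyring option, as listed on this page.
DEFAULT_KEYRING = ("/etc/ceph/$cluster.$name.keyring,/etc/ceph/$cluster.keyring,"
                   "/etc/ceph/keyring,/etc/ceph/keyring.bin")


def daemon_keyring_path(entity: str, cluster: str = "ceph") -> str:
    """osd.12 -> /var/lib/ceph/osd/ceph-12/keyring (the page's data directory layout)."""
    dtype, _, did = entity.partition(".")
    if dtype not in EXPECTED_CAPS or not did:
        raise ValueError(f"not a daemon entity: {entity!r}")
    return str(PurePosixPath("/var/lib/ceph") / dtype / f"{cluster}-{did}" / "keyring")


def keyring_entity(entity: str) -> str:
    """Section name inside the daemon's keyring: every monitor's keyring uses 'mon.'."""
    return "mon." if entity.startswith("mon.") else entity


def keyring_search_path(name: str, cluster: str = "ceph") -> list:
    """Expand the default keyring search list for, e.g., name='client.admin'."""
    return [p.replace("$cluster", cluster).replace("$name", name)
            for p in DEFAULT_KEYRING.split(",")]


_ENTITY_RE = re.compile(r"^\[(.+)\]$")
_KEY_RE = re.compile(r"^key\s*=\s*(\S+)$")
_CAPS_RE = re.compile(r'^caps\s+(\w+)\s*=\s*"(.*)"$')


def parse_keyring(text: str) -> dict:
    """Parse keyring text into {entity: {"key": str|None, "caps": {service: caps}}}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _ENTITY_RE.match(line):
            current = m.group(1).strip()
            entries[current] = {"key": None, "caps": {}}
        elif current is None:
            continue                      # stray line before any [entity] header
        elif m := _KEY_RE.match(line):
            entries[current]["key"] = m.group(1)
        elif m := _CAPS_RE.match(line):
            entries[current]["caps"][m.group(1)] = m.group(2)
    return entries


def check_daemon_keyring(entity: str, text: str) -> list:
    """Problems in the keyring text for `entity`; an empty list means it matches the page."""
    dtype = entity.partition(".")[0]
    section = keyring_entity(entity)
    entry = parse_keyring(text).get(section)
    if entry is None:
        return [f"no [{section}] section in keyring"]
    problems = []
    if not entry["key"]:
        problems.append("missing key")
    # The page notes the mon. keyring holds a key but is not part of the auth
    # database, so caps there are optional; for every other daemon they must match.
    if section == "mon." and not entry["caps"]:
        return problems
    for svc, want in EXPECTED_CAPS[dtype].items():
        have = entry["caps"].get(svc)
        if have != want:
            problems.append(f"caps {svc}: have {have!r}, want {want!r}")
    return problems


# Constructed sample keyrings (not from a real cluster).
OSD_KEYRING_OK = """\
[osd.12]
    key = PLACEHOLDER-KEY==
    caps mgr = "allow profile osd"
    caps mon = "allow profile osd"
    caps osd = "allow *"
"""
OSD_KEYRING_BAD = OSD_KEYRING_OK.replace('caps mon = "allow profile osd"', 'caps mon = "allow *"')
MON_KEYRING = "[mon.]\n    key = PLACEHOLDER-KEY==\n"

if __name__ == "__main__":
    print(daemon_keyring_path("osd.12"), check_daemon_keyring("osd.12", OSD_KEYRING_BAD))
```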
</section>
<section id="index-1">
<span id="id10"></span><h3>Signatures<a class="headerlink" href="#index-1" title="Permalink to this heading"></a></h3>
<p>Ceph performs a signature check that provides some limited protection against
messages being tampered with in flight (e.g., by a "man in the middle" attack).</p>
<p>Like other parts of Ceph authentication, message signing allows fine-grained control: you can enable or disable signatures for service messages between clients and the cluster, and for messages between Ceph daemons.</p>
<p>Note that even with signatures enabled, data is not encrypted in flight.</p>
<p><code class="docutils literal notranslate"><span class="pre">cephx_require_signatures</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description<span class="colon">:</span></dt>
<dd class="field-odd"><p>If this option is set to <code class="docutils literal notranslate"><span class="pre">true</span></code>,
Ceph requires signatures on all message traffic between the Ceph client and the Ceph Storage Cluster,
and between daemons within the Ceph Storage Cluster.</p>
</dd>
</dl>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p><strong>Historical note:</strong></p>
<p>Neither Ceph Argonaut nor Linux kernel versions prior to 3.19 support signatures;
if such clients are in use, <code class="docutils literal notranslate"><span class="pre">cephx_require_signatures</span></code> can be disabled
to allow them to connect.</p>
</div>
<dl class="field-list simple">
<dt class="field-odd">Type<span class="colon">:</span></dt>
<dd class="field-odd"><p>Boolean</p>
</dd>
<dt class="field-even">Required<span class="colon">:</span></dt>
<dd class="field-even"><p>No</p>
</dd>
<dt class="field-odd">Default<span class="colon">:</span></dt>
<dd class="field-odd"><p><code class="docutils literal notranslate"><span class="pre">false</span></code></p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">cephx_cluster_require_signatures</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description<span class="colon">:</span></dt>
<dd class="field-odd"><p>If this option is set to <code class="docutils literal notranslate"><span class="pre">true</span></code>,
Ceph requires signatures on all message traffic between
Ceph daemons within the Ceph Storage Cluster.</p>
</dd>
<dt class="field-even">Type<span class="colon">:</span></dt>
<dd class="field-even"><p>Boolean</p>
</dd>
<dt class="field-odd">Required<span class="colon">:</span></dt>
<dd class="field-odd"><p>No</p>
</dd>
<dt class="field-even">Default<span class="colon">:</span></dt>
<dd class="field-even"><p><code class="docutils literal notranslate"><span class="pre">false</span></code></p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">cephx_service_require_signatures</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description<span class="colon">:</span></dt>
<dd class="field-odd"><p>If this option is set to <code class="docutils literal notranslate"><span class="pre">true</span></code>,
Ceph requires signatures on all message traffic between Ceph clients and the Ceph Storage Cluster.</p>
</dd>
<dt class="field-even">Type<span class="colon">:</span></dt>
<dd class="field-even"><p>Boolean</p>
</dd>
<dt class="field-odd">Required<span class="colon">:</span></dt>
<dd class="field-odd"><p>No</p>
</dd>
<dt class="field-even">Default<span class="colon">:</span></dt>
<dd class="field-even"><p><code class="docutils literal notranslate"><span class="pre">false</span></code></p>
</dd>
</dl>
<p><code class="docutils literal notranslate"><span class="pre">cephx_sign_messages</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description<span class="colon">:</span></dt>
<dd class="field-odd"><p>If this option is set to <code class="docutils literal notranslate"><span class="pre">true</span></code>
and the Ceph version supports message signing,
Ceph signs all messages so that they are harder to forge.
Note that this option only makes a daemon or client sign what it sends; a peer that does not verify signatures gains nothing from it, which is what the <code class="docutils literal notranslate"><span class="pre">*_require_signatures</span></code> options above enforce.</p>
</dd>
<dt class="field-even">Type<span class="colon">:</span></dt>
<dd class="field-even"><p>Boolean</p>
</dd>
<dt class="field-odd">Default<span class="colon">:</span></dt>
<dd class="field-odd"><p><code class="docutils literal notranslate"><span class="pre">true</span></code></p>
</dd>
</dl>
</section>
<section id="id11">
<h3>Time to Live<a class="headerlink" href="#id11" title="Permalink to this heading"></a></h3>
<p><code class="docutils literal notranslate"><span class="pre">auth_service_ticket_ttl</span></code></p>
<dl class="field-list simple">
<dt class="field-odd">Description<span class="colon">:</span></dt>
<dd class="field-odd"><p>When the Ceph Storage Cluster sends a Ceph client a ticket for authentication,
the Ceph Storage Cluster assigns that ticket a time to live (TTL), in seconds.
A longer TTL widens the window in which a stolen ticket remains usable.</p>
</dd>
<dt class="field-even">Type<span class="colon">:</span></dt>
<dd class="field-even"><p>Double</p>
</dd>
<dt class="field-odd">Default<span class="colon">:</span></dt>
<dd class="field-odd"><p><code class="docutils literal notranslate"><span class="pre">60*60</span></code></p>
</dd>
</dl>
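<p>As an added example (not code from the Ceph project or from this page), the following POSIX shell script audits a <code class="docutils literal notranslate"><span class="pre">ceph.conf</span></code>-style file for the signing options in the previous section and for the ticket TTL described here. It flags any of the three <code class="docutils literal notranslate"><span class="pre">*_require_signatures</span></code> options that is not <code class="docutils literal notranslate"><span class="pre">true</span></code>, an explicit <code class="docutils literal notranslate"><span class="pre">cephx_sign_messages</span></code> that is not <code class="docutils literal notranslate"><span class="pre">true</span></code>, and an <code class="docutils literal notranslate"><span class="pre">auth_service_ticket_ttl</span></code> above a ceiling assumed here to be the documented default of 3600 seconds, and prints the <code class="docutils literal notranslate"><span class="pre">ceph config set</span></code> command that would remediate each finding. The two configuration files, the ceiling and the <code class="docutils literal notranslate"><span class="pre">cephx_option</span></code>/<code class="docutils literal notranslate"><span class="pre">audit_cephx</span></code> helpers are constructed for this example; only the <code class="docutils literal notranslate"><span class="pre">[global]</span></code> section is read and no cluster is contacted.</p>

```shell
#!/bin/sh
# Added example, not part of the Ceph project: audit a ceph.conf-style file for
# the cephx signing options and the service-ticket TTL, printing the
# `ceph config set` command that would remediate each finding.
# Only the [global] section is inspected.

# Assumed ceiling for auth_service_ticket_ttl (the documented default, 60*60 s).
MAX_TICKET_TTL=3600

# cephx_option FILE KEY
# Prints the value of KEY from the [global] section of FILE (empty if unset).
# Ceph treats "cephx require signatures", "cephx-require-signatures" and
# "cephx_require_signatures" as the same key, so spaces and dashes are
# normalised to underscores before comparing; comment lines (# or ;) and
# trailing comments on a value are ignored.
cephx_option() {
  awk -v key="$2" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { in_global = ($0 ~ /^[ \t]*\[global\]/); next }
    in_global && index($0, "=") {
      eq = index($0, "=")
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t-]+/, "_", k)
      sub(/[ \t]*[#;].*$/, "", v);    gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# audit_cephx FILE
# Prints one FAIL line per weak setting and returns 1; returns 0 when the three
# "require signatures" options are true, cephx_sign_messages is not explicitly
# turned off, and the ticket TTL does not exceed MAX_TICKET_TTL.
audit_cephx() {
  conf="$1"; rc=0
  for opt in cephx_require_signatures cephx_cluster_require_signatures \
             cephx_service_require_signatures cephx_sign_messages; do
    val=$(cephx_option "$conf" "$opt")
    case "$val" in
      true|1|yes) ;;
      *)
        # cephx_sign_messages defaults to true, so only an explicit value counts
        if [ "$opt" = cephx_sign_messages ] && [ -z "$val" ]; then continue; fi
        echo "FAIL $opt=${val:-unset}; remediation: ceph config set global $opt true"
        rc=1 ;;
    esac
  done
  ttl=$(cephx_option "$conf" auth_service_ticket_ttl)
  case "$ttl" in
    '') ;;  # unset: the documented default of 60*60 seconds applies
    *[!0-9.]*) echo "FAIL auth_service_ticket_ttl='$ttl' is not numeric"; rc=1 ;;
    *) if ! awk -v t="$ttl" -v m="$MAX_TICKET_TTL" 'BEGIN { exit (t + 0 > m + 0) }'; then
         echo "FAIL auth_service_ticket_ttl=$ttl exceeds ${MAX_TICKET_TTL}s; remediation: ceph config set global auth_service_ticket_ttl $MAX_TICKET_TTL"
         rc=1
       fi ;;
  esac
  return $rc
}

# Constructed sample configurations (not taken from any real cluster).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
[global]
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
cephx_require_signatures = false    ; signing offered but never required
auth_service_ticket_ttl = 86400     ; a stolen ticket stays valid for a day
EOF
cat > "$HARD_CONF" <<'EOF'
[global]
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
cephx require signatures = true
cephx_cluster_require_signatures = true
cephx-service-require-signatures = true
cephx_sign_messages = true
auth_service_ticket_ttl = 3600
EOF

audit_cephx "$WEAK_CONF" || echo "weak config: see findings above"
audit_cephx "$HARD_CONF" && echo "hardened config: no findings"
```

<p>Before requiring signatures cluster-wide, confirm that no kernel client older than 3.19 still needs to connect (see the historical note above); such clients are refused once the requirement is in force.</p>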
</section>
</section>
</section>





           </div>
           
          </div>
<footer>

  <hr/>

  <div role="contentinfo">
    <p>&#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).</p>
  </div>

   

</footer>
        </div>
      </div>

    </section>

  </div>
  

  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script>

  
  
    
   

</body>
</html>